Method and apparatus for on-site authorisation

ABSTRACT

A method for authorization of a user to access a computer system locally at a site is described. The computer system determines whether a network connection to a remote authentication source is available. If the network connection is available, the computer system authenticates the user by interaction with the remote authentication source. If the network connection is not available, the computer system authenticates the user against a credential provided by the user. In this case, the credential will have been provided by or validated by the remote authentication source less than a predetermined time prior to the authenticating step, and the credential is a certificate issued by a certificate authority already trusted by the computer system and valid for a predetermined period of time. A suitable computer system is also described.

TECHNICAL FIELD

The invention relates to method and apparatus for providing on-siteauthorisation to computing resources. The invention has particularrelevance to providing on-site authorisation to access for computingresources at a site remote from a central authorisation server and onlyintermittently in network communication with it. This is especiallyrelevant to the provision of access to power generation facilities, andin particularly wind farms, which are typically constructed in locationswhere network access is difficult to provide continuously.

BACKGROUND TO THE INVENTION

Wind farms, and similar power generation facilities, are frequentlycontrolled and monitored remotely. Systems providing such supervisorycontrol and monitoring are generally referred to as SCADA (supervisorycontrol and data acquisition) systems—these involve a central systemwhich provides high level supervision and control, but rely on localimplementation of control and monitoring processes. These are performedby local systems at the relevant site—for example, at an individual wind“park”.

Authorisation and access control may be achieved conventionally withoutdifficulty where all control is mediated effectively through a centralserver. A conventional AAA (authentication, authorization andaccounting) server or similar functionality may be used at the centralsite, and access control of whatever type is required can be used toallow access to SCADA control of individual parks. This may allowwhatever mixture of permissions can be provided in conventional systems(for instance, to allow control to the customer, but to allow access tomaintenance functions to a park provider and maintenance access toindividual engineers).

In some situations, local access to systems will be required. This maybe needed for on-site maintenance, or during the construction of thepark. Given the remote location of many wind parks and their inherentchallenges for network access (high winds will typically disrupt radiocommunication, for example), authorisation through a central server willfrequently be problematic. Conventional authorisation solutions can beused, but are problematic. A conventional approach would involveallowing a remote location to authenticate on the basis of certificatesprovided by a trusted Certification Authority, which allows for localauthentication and hence authorisation without network access providedthat the local site has sufficient confidence that the certificates thatit checks are still valid. This can be done by regular receipt of CRLs(Certificate Revocation Lists) from the Certification Authority so thatcertificates that are no longer valid can be identified.

This approach requires regular network traffic to provide satisfactoryconfidence that all certificates are valid, and so may be problematic ifnetwork connectivity is lost for a significant length of time (which maybe particularly likely if maintenance is required). Moreover, in manyjurisdictions, security requirements for power plants require there tobe a centrally managed list of personnel authorized to access plantassets with an associated list of allowed operations for each identifiedperson. Such requirements may require, as is the case in those made bythe North American Electric Reliability Corporation (NERC), which isresponsible for reliability standards for the North American grid, thatit be possible to change and/or revoke permissions and demonstrate thatthis has been done within a 24 hour period. This is particularlychallenging to achieve for remote assets with intermittent networkaccess without inhibiting necessary maintenance access.

While this problem is considered here particularly in the power plantmanagement domain, issues of local authentication and authorisation mayarise in many other domains, and solutions may thus be applicable inother technical and commercial areas.

SUMMARY OF THE INVENTION

According to one aspect of the present invention, there is provided amethod for authorisation of a user to access a computer system locallyat a site, the method comprising: the computer system determiningwhether a network connection to a remote authentication source isavailable; if the network connection is available, the computer systemauthenticating the user by interaction with the remote authenticationsource; if the network connection is not available, the computer systemauthenticating the user against a credential provided by the user,wherein the credential is a certificate issued by a certificateauthority already trusted by the computer system and valid for apredetermined period of time.

This approach allows for effective authorisation of a local user,combining security and practicality. A high level of security isachieved if the credential has been provided by or validated by theremote authentication source less than a predetermined time prior to theauthenticating step, particularly where the predetermined time is 24hours or less. This allows compliance with audit requirements (such asNERC requirements) which require control over user access permissions tobe met over such a timescale to be achieved. This can be achieved by useof certificates with periods of validity of the predetermined time (orless).

Preferably, if the network connection is available, the computer systemauthenticates the user both by interaction with the remoteauthentication source and against the credential provided by the user.

In a preferred arrangement, the computer system authorises a user toaccess resources at the site on the basis of the user credential. Insuch a case, if the computer system also holds one or more certificatesissued by the certificate authority relating to permissions forresources at the site, access to specific resources may be permitted ifthis is allowed by both the user credential and the one or morecertificates held by the computer system.

This allows for a simple and efficient system to be developed for accessto resources at the site. It is particularly effective forimplementation of role-based access control—preferably, the usercredential indicates a user role, and access to resources is allowed bythe computer system consistent with that user role.

A method of controlling access to a power generation facility, whereinaccess comprises monitoring, controlling, or both monitoring andcontrolling operation of the power generation facility, may use such anapproach. Such a method may comprise authorising a user to access acomputer system of the power generation facility by the methods set outabove, and allowing access to the user when authorised. This isespecially true where the power generation facility is a wind park, asthis allows for appropriate monitoring and control by both the customerand the service provider who has established and managed the park. Insuch a case, the computer system may be a SCADA server of the wind park,or may even be comprised within a wind turbine of the wind park.

In a further aspect, the invention provides a computer system adapted toauthorise local access of a user at a site, wherein the computer systemis adapted to determine whether a network connection to a remoteauthentication source is available; whereby if the network connection isavailable, the computer system authenticates the user by interactionwith the remote authentication source; and whereby if the networkconnection is not available, the computer system authenticates the useragainst a credential provided by the user, wherein the credential is acertificate issued by a certificate authority already trusted by thecomputer system and valid for a predetermined period of time.

Advantageously, the computer system authorises a user to accessresources at the site on the basis of the user credential, andpreferably, the user credential is a certificate issued by or on behalfof a certificate authority trusted by the computer system, and thecomputer system holds one or more certificates issued by the certificateauthority relating to permissions for resources at the site, and whereinaccess to specific resources is permitted if this is allowed by both theuser credential and the one or more certificates held by the computersystem.

A power generation facility may comprise a wind park and a computersystem as set out above for controlling access to the wind park, whereinaccess comprises monitoring, controlling, or both monitoring andcontrolling operation of the wind park. The computer system describedabove may then be a SCADA server of the wind park, or may be comprisedwithin a wind turbine.

In a further aspect, the invention provides a method for a user toobtain access to a trust domain, wherein the trust domain comprises acomputer system accessed locally at a site and an authentication sourceremote from the computer system, the method comprising: the useraccessing the trust domain by interaction with the authentication sourceand receiving a certificate issued by a certificate authority alreadytrusted by the computer system and valid for a predetermined period oftime; the user subsequently attempting to access the computer systemlocally at the site, and if there is no network connection at the site,providing the certificate as a credential for authentication for theuser to obtain access to the computer system.

Preferably, on every access to the trust domain by interaction with theauthentication source the user receives a new certificate valid for apredetermined period of time. This predetermined time may be 24 hours orless.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention will now be described, by way of example only, byreference to the following drawings in which:

FIG. 1 shows the elements of a wind park control system in whichembodiments of the invention can be used;

FIG. 2 illustrates the use of Certification Authorities in authorisationfor the system of FIG. 1;

FIGS. 3A and 3B illustrates use of certificates in authorisation in thesystem of FIG. 1;

FIG. 4 illustrates schematically a method of on-site authorisationaccording to one embodiment of the invention and suitable for use in thesystem of FIG. 1; and

FIG. 5 illustrates schematically a system for certificate renewal foruse by individual users of the system of FIG. 1.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

FIG. 1 shows the elements of a wind park controlled using SCADA. In thiscase, the wind park was established by a service provider (typically themanufacturer and installer of the wind park) but is operated by acustomer, with the service provider retaining certain responsibilitiessuch as maintenance. This means that access to park assets is requiredby the customer, the service provider, and in particular by namedemployees of the service provider required to conduct on-sitemaintenance.

FIG. 1 shows that a wind park 6 contains a number of wind turbines 5under the control of a SCADA server 1. In practice, access to the SCADAserver 1 will generally be made remotely from a service provider server2 or from a customer server 3, or perhaps directly by a suitablyauthorised person such as a service provider technician, shown here asconnecting to the SCADA server 1 through technician client computer 4.Such clients will need to obtain credentials or some other verifiablepermission from a root of trust—shown here as accessed through theservice provider server 2—so that they can be authenticated and henceauthorised by the SCADA server 1. In situations of interest, the networkaccess to the park (shown as 8) will be intermittent, rendering itimpossible to guarantee that the SCADA server 1 can interact with theservice provider server 2 or the customer server 3 directly. Aparticular situation of interest is where a technician, here shown bylocal access client 7, requires access to wind park resources controlledby the SCADA server 1 when network access 8 to the wind park 6 isunavailable.

The basic trust relationship between the different elements is shown inFIG. 2. Trust relationships are established with reference to one ormore Certificate Authorities (CA). These provide the root of trust forauthentication and hence authorisation for access to facilities throughthe SCADA server 1. In the arrangement shown, the service providerserver 2 has a service provider CA 22 and the customer server 3 has acustomer CA 23 within their respective domains, though trusted thirdparty CAs could also be used. Certificates 20 are issued by, orauthority to issue them is delegated by, these CAs to providecredentials used in authentication and used for authorisation by theSCADA server 1. Certificates may be, for example, conventional X.509certificates issued under the X.509 system (as set out, for example, inRFC 5280 produced by the IETF).

The set of certificates produced will depend on the desired chain oftrust, and on the individual entities that need to control or becontrolled. In the case of the wind park shown in FIG. 1, the serviceprovider 2 may have one main certificate (possibly with severaladditional certificates for different business functions), and thecustomer 3 will similarly have at least one main certificate. There maybe multiple “main” certificates with different CAs. Individuals grantedrights to access the park in some way—such as service providertechnicians—will have their own certificates with some subset of thepermissions allowed to the party granting them this access. The parkitself (here embodied by SCADA server 1) has its own certificate showingits identity, together with one or more Park Access Certificates (PACs)for each CA able to grant permissions for park access, which will thenbe used by the SCADA server 1 to complete the authorisation process.These PACs (which may for example be related to the customer, or theservice provider, or some subset of the employees or agents of either)will be installed securely in the park—this may be done on initialcommissioning of the park, or subsequently under the authority of aspecific CA designated for the purpose—this CA would need to hold anappropriate certificate for this purpose. If control is determined atthe level of individual wind turbines (rather than, or as well as, atthe SCADA server 1) then these also require identity and PACcertificates.

These certificates will typically be issued to individual users, andwill indicate both the specific permissions that those users have beengiven and who has granted these permissions. In this way, a certificatewill provide not only a set of permissions but also a hierarchy of trustassociated with these permissions. These certificates may indicateassigned user roles, and be used as part of a system of Role BasedAccess Control (RBAC). RBAC need not be used in all embodiments of thepresent invention and described embodiments are not limited to anyspecific RBAC mechanism—as the person skilled in the art willappreciate, any suitable RBAC system may be used in the embodimentsdescribed, and embodiments of the invention can be used without use ofany form of RBAC. Permissions associated with roles may include fullcontrol (as may be needed by a technician carrying out a significantmaintenance operation), limited control (as may be required by atechnician carrying out routine maintenance), view/read access (requiredfor monitoring) or customer access (enabling a limited set of controland monitoring operations).

Individual users may operate within, or have access to, a trust domainmanaged by a directory service—this may be for example an implementationof Microsoft Active Directory. In the arrangement shown, the serviceprovider server 2 has a service provider directory 12 and the customerserver 3 has a customer directory 13. As is shown in FIG. 2, technicianclient computer 4 has access to the service provider trust domainthrough the service provider directory 12. The service providerdirectory 12 can thus authenticate the technician client computer 4 andcan provide it with certificates as required when satisfactorilyauthenticated. When in network communication with the service providerdirectory 12, local access client 7 (assuming that it is also part ofthe service provider trust domain) can also be authenticated by theservice provider directory 12 and provided with certificates by it.Again, this can be carried out by conventional procedures such as thoseemployed in standard implementations of Microsoft Active Directory.

Provision of certificates, and authentication and authorisationinformation exchanges, should take place in such a way as to ensure thatthe information exchanged is secure. If both parties are within a securedomain—for example, if both parties and the connection between them areall within the same firewall—it may not be necessary for communicationbetween the parties to be encrypted. If messages need to travel on apublic network, it will be desirable for some form of encryption to beused, such as that provided by TLS (Transport Layer Security) or SSL(Secure Sockets Layer). The skilled person will appreciate thatconventional approaches may be used to implement TLS (for example,according to the processes set out in RFC 5246, which sets out version1.2 of the TLS protocol), and that embodiments of the invention asdescribed below do not rely on or require any specific approach toproviding secure communication between elements of the system shown inFIG. 1. To implement the provision of a secure channel using TLS, thedifferent parties involved in establishing a channel will need to beable to sign messages with their own private key, and to make theircorresponding public key available to be used by the other party.

As previously indicated, authorisation requires an exchange ofcertificates. Certificates for the park resources and the SCADA server 1will generally have been provided on construction of the park (or at alater date by the park service provider)—by whatever mechanism, thesewill have been installed in the SCADA server 1 or in another relevantpark resource in such a wa as to provide an acceptable level of security(for example, that mandated by NERC). As described above, certificatesthat can be used to obtain access to park resources are here termed ParkAccess Certificates (PACs)—a set of PACs will be provided for the parkfor use by the SCADA server 1 in authentication and authorisation. Aclient certificate will generally have been provided by, or on authoritydelegated by, a relevant CA for that client which has been provided witha PAC—this CA will thus be one recognised by the SCADA server 1 andhence by park resources as a CA with authority to provide permissionsrelating to park resources.

Certificates may be used both in the establishment of a secureconnection between a remote client or server and the SCADA server 1 andin the authorisation process. These roles are indicated in FIGS. 3A and3B respectfully.

FIG. 3A shows the use of certificates in establishing a secure remoteconnection. The SCADA server 1 is adapted not to accept a remoteconnection unless there is a satisfactory match between a PACcertificate in its collection and the client certificate provided to it.In the example shown, the required match is between the following:

“Authority Key Identifier” for the client and “Subject Key Identifier”for the PAC;

the key used to sign the client certificate and the public key of thePAC certificate; and

“Issuer” for the client certificate and “Subject” for the PACcertificate.

Once a secure connection is established, authorisation can take place.At this point, it has been established that the client/server seekingaccess to park resources has a CA trusted by the park. It is thennecessary to determine which permissions the client/server seekingaccess has, and so what park resources can be accessed. FIG. 3Bindicates the position for a user who has a permission through aparticular certificate path. The permissions allowed are those providedby the overlap of all certificates in the path—in the case shown here,the user will have permissions for roles A and C, as these are providedby all certificates in the path. These permissions may correspond todifferent roles of an RBAC system. If a user requires a different role,it is possible that this may be achievable by using a different clientcertificate, as this may lead to a different set of permissions.

The approach described above is appropriate for remote access to a SCADAserver 1. For local access to a SCADA server 1, at least two differenttypes of approach to authorisation may be used to authorise a localclient trying to access the park resources that it controls: oneapproach requires network connectivity, whereas in the other approachauthorisation can be carried out without network connectivity. Bothinvolve the use of certificates from each party (the party seekingaccess, and the party providing access) as a part of the authorisationprocess essentially as described above.

In either case, a practical issue is that of whether a certificateissued to a client is still valid, or has subsequently been revoked—thismay be particularly relevant for certificates related specifically toprovision of access to park resources, which will need to stayconsistent with the role and status of individual users. In an approachwhere there is network connectivity available, validity can bedetermined at the time of authorisation—as a part of the authorisationprocess the SCADA server 1 can request information on certificatevalidity. This may be provided by Certificate Revocation Lists (CRLs)issued by the CAs, which may be made publicly available by the CAs atregular intervals, or may be requested by an online enquiry using OnlineCertificate Status Protocol (OCSP) as described in RFC 2560 produced bythe IETF. In OCSP, the SCADA server 1 can enquire about certificatestatus directly to an OCSP server acting for the relevant CA.

Where there is no network connectivity, the SCADA server 1 will need torely on data already received. These may include CRLs already providedby the CAs, which may be obtained by the SCADA server 1 regularly whennetwork connectivity exists. Other requirements of thesystem—establishing that a certificate was validly issued and associatedclient permissions—can be established directly between the SCADA server1 and the local client 7 without the need for network connectivity onthe basis of keys and certificates held by the two parties.

A difficulty with this approach is that if the SCADA server 1 has beenoffline for a significant period, then the risk becomes significant thatthe client certificate may have been revoked. This may also lead to abreach of security requirements, such as the cyber security standardsset down by the North American Electric Reliability Corporation (NERC),which mandate that it be possible to change and/or revoke permissionsand demonstrate that this has been done within a 24 hour period.

FIG. 4 indicates an approach to providing on-site authorisationaccording to an embodiment of the invention. A local client 7 seeksaccess to a SCADA server 1. First of all, the SCADA server 1 tries toestablish (step 41) whether there is network connectivity, which willallow it to use remote resources (such as an OCSP server acting for aCA) in the authorisation process. If there is network connectivity,remote resources are used (step 42) to determine whether the localclient certificate is currently valid (failure to establish validitywill result in denial of access and a log of the failed attempt). Ifthere is no network connectivity, direct evaluation of the local clientcertificate (step 43) is used to determine whether to allow the localclient 7 access to park resources. If there is network connectivity,direct evaluation of the local client certificate and use of remoteresources may be used together in the authorisation decision.

The remote resources may not necessarily be an OCSP server. One solutionwhere there is network connectivity is for the local client 7 to log into the trust domain (provide username and password, for example) in thenormal manner. In this way the status of the user is checked directly toensure that he or she is still a part of the trust domain.

In order to provide a high level of security for this solution, thelocal client certificate is valid only for a short duration. Typicallyan X.509 certificate will have a defined period of validity, but thiswill typically be months or years. Providing short periods of validitywould generally be seen as highly disadvantageous, as it would requireregular replacement of certificates. A short period of validity mayhowever be used advantageously in this arrangement, as it allowscompliance with security requirements—if it is necessary to show thatpermissions can be demonstrably revoked or changed within 24 hours,issuance of certificates with a 24 hour or shorter duration (forexample, 12 hours, which may be practical to allow a technician aworking day at the site) provides immediate evidence of compliance. Asthe certification authority is already trusted by the SCADA server 1,this approach allows a user to be given authorised access to siteresources even when the SCADA server 1 has had no network connectivityfrom before the certificate was issued to the user.

While this solution appears to create an additional burden in the needto reissue certificates, this can be addressed effectively byestablishing an automated enrolling process to ensure that certificatesare regularly issued to relevant users. Such a process is indicated inFIG. 5.

The process is carried out when the user logs in to the directoryservice of the relevant trust domain. On log in (step 51), the trustdomain determines whether the user is automatically enrolled to aprocess of certificate replacement for one or more certificates issuedby its associated CA (step 52) or if new certificates should be issuedfor that user role. A certificate template should be available for eachtype of certificate requiring issue or replacement, so the system burdenin generating frequent new certificates would be small. Certificates maybe renewed even if currently valid and active, to ensure that the userwill have use of the certificate for the full certificate lifetime fromlog in (reducing the risk that the user will be deprived of access byunexpected certificate expiration). If the user is automaticallyenrolled, the replacement or new certificates are issued (possibly byrequest to the CA—in practice the normal approach will be for authorityfor such certificates to have been delegated by the CA to the relevantdirectory service) to the user (step 53). The newly issued certificatescan then be used for local access to the SCADA server 1 as a localaccess client 7, and use of the certificates can be logged at the SCADAserver 1 (typically by recording a hash of a relevant certificate valuewith a log of associated park activity).

A technician seeking to access the SCADA server 1 locally wouldtherefore generally log in to his trust domain before travelling to thepark itself and obtain a certificate valid for the duration of thevisit. Access to park resources through the SCADA server 1 would thus beachievable whether or not there was network connectivity to the SCADAserver 1.

While embodiments described here relate to access to the SCADA server 1,this approach does not rely on the presence of a SCADA server at thepark. Alternatively, this approach could be used to access wind turbinesdirectly. If this was to be done, individual wind turbines would requirethe same facilities as are here indicated as available to the SCADAserver (a private key, PAC certificates relating to appropriate parkresources, which in this case may relate only to that wind turbine).

The approach described here should be used in accordance withappropriate security mechanisms to keep secrets sufficiently secure.This may be done according to known approaches: a private key of aserver or client computer may be stored within a Trusted Platform Module(TPM), whereas a private key of an inaccessable structure such as a windturbine may be simply stored in a part of the turbine difficult toaccess physically.

As is described above, aspects of the invention as described and claimedhere are advantageous to allow reliable and secure authorisation toresources at a site even when network connectivity to the site isintermittent at best.

The invention claimed is:
 1. A method for authorisation of a user toaccess a computer system locally at a power generation facility, themethod comprising: the computer system determining whether a networkconnection to a remote authentication source is available; if thenetwork connection is available, the computer system authenticating theuser by interaction with the remote authentication source; if thenetwork connection is not available, the computer system authenticatingthe user against a credential provided by the user, wherein thecredential is a certificate issued by a certificate authority alreadytrusted by the computer system and valid for a predetermined period oftime, wherein the credential has been provided to the user by, orvalidated by the remote authentication source, less than a predeterminedtime prior to attempting to authenticate the user, and wherein thepredetermined period of time is selected to comply with a regulatoryrequirement for revoking access to the computer system by the userfollowing the user's authorization to access the computer system beingrevoked.
 2. The method of claim 1, wherein the predetermined time is 24hours or less.
 3. The method of claim 1, wherein if the networkconnection is available, the computer system authenticates the user bothby interaction with the remote authentication source and against thecredential provided by the user.
 4. The method of claim 1, wherein thecomputer system authorises the user to access resources at the powergeneration facility on the basis of the user credential.
 5. The methodof claim 4, wherein the computer system holds one or more certificatesissued by the certificate authority relating to permissions forresources at the power generation facility, and wherein access tospecific resources is permitted if this is allowed by both the usercredential and the one or more certificates held by the computer system.6. The method of claim 4, wherein the user credential indicates a userrole, and access to resources is allowed by the computer systemconsistent with that user role.
 7. The method of claim 1 wherein thepower generation facility is a wind park.
 8. The method of claim 7,wherein the computer system is a SCADA server of the wind park.
 9. Themethod of claim 7, wherein the computer system is comprised within awind turbine of the wind park.
 10. A computer system adapted toauthorise local access of a user at a site, wherein the computer systemcomprises: one or more processors programmed to determine whether anetwork connection to a remote authentication source is available;whereby if the network connection is available, the computer systemauthenticates the user by interaction with the remote authenticationsource; and whereby if the network connection is not available, thecomputer system authenticates the user against a credential provided bythe user, wherein the credential is a certificate issued by acertificate authority already trusted by the computer system and validfor a predetermined period of time, wherein the credential has beenprovided to the user by, or validated by the remote authenticationsource, less than a predetermined time prior to attempting toauthenticate the user, and wherein the predetermined period of time isselected to comply with a regulatory requirement for revoking access tothe computer system by the user following the user's authorization toaccess the computer system being revoked.
 11. The computer system ofclaim 10, wherein the computer system authorises a user to accessresources at the site on the basis of the user credential.
 12. Thecomputer system of claim 11, wherein the computer system holds one ormore certificates issued by the certificate authority relating topermissions for resources at the site, and wherein access to specificresources is permitted if this is allowed by both the user credentialand the one or more certificates held by the computer system.
 13. Apower generation facility comprising: a wind park; and a computersystem, for controlling access to the wind park, wherein accesscomprises monitoring, controlling, or both monitoring and controllingoperation of the wind park; wherein the computer system comprises: oneor more processors programmed to determine whether a network connectionto a remote authentication source is available; whereby if the networkconnection is available, the computer system authenticates the user byinteraction with the remote authentication source; and whereby if thenetwork connection is not available, the computer system authenticatesthe user against a credential provided by the user, wherein thecredential is a certificate issued by a certificate authority alreadytrusted by the computer system and valid for a predetermined period oftime, wherein the credential has been provided to the user by, orvalidated by the remote authentication source, less than a predeterminedtime prior to attempting to authenticate the user, and wherein thepredetermined period of time is selected to comply with a regulatoryrequirement for revoking access to the computer system by the userfollowing the user's authorization to access the computer system beingrevoked.
 14. The power generation facility of claim 13, wherein thecomputer system is a SCADA server of the wind park.
 15. The powergeneration facility of claim 13 comprising one or more wind turbineseach comprising a computer system as claimed in claim 10.